[Bug 1235975] Re: Unsafe file and directory permissions
Barry Warsaw
1235975 at bugs.launchpad.net
Tue Oct 15 14:06:13 UTC 2013
I think I was a bit too aggressive in 1.9 in fixing this, especially in
light of LP: #1233521
Here's the breakdown of directories and files, and what I think we
should do for each:
[system]tempdir - by default /tmp
- This directory should already exist, and we don't own it, so do not chmod if it exists. If it doesn't exist, we'll create it with 02700
- random subdir is created using Python's tempfile.mkdtemp() method, which creates it securely <http://docs.python.org/3/library/tempfile.html#tempfile.mkdtemp>. We call this function with prefix='system-image-' and dir=<[system]tempdir> so you'll end up with directories like /tmp/system-image-0ft3jq mod 700 owned by uid:gid of the process.
Thus there should be nothing we need to do with tempdir above what
Python already does, unless we have to create the directory.
[system]logfile - by default /var/log/system-image/client.log
We'll create the log file with 0600 and chmod it to that if it already exists, since we own it. If the parent directory already exists, we'll chmod it to 02700 since we should assume that we own it. If it doesn't exist, we'll create it with 02700.
Note that it's possible someone would change the client.ini file to put
the log file in a location we *don't* own, e.g. /var/log/client.log. In
that case /var/log could get chmod'd to an unexpected mode. It's not
clear to me what we can do about that other than say "Don't Do That".
[updater]cache_partition - by default /android/cache/recovery
We don't own this so we should not chmod it. If it doesn't exist, we'll create it 02700 (but it should always exist except in the test suite).
[updater]data_partition - by default /var/lib/system-image
(This will contain subdirectories, such as `keyrings`)
Create this, and subdirs, with 02700. If this directory (and subdirs) exist, chmod them to 02700. Similar to the discussion above, if someone changes it to point to an existing directory we don't own (e.g. /var/lib itself), then we could end up chmod'ing it unexpectedly. "Don't Do That" also applies here.
--
https://bugs.launchpad.net/bugs/1235975
Title:
Unsafe file and directory permissions
Status in Ubuntu system image (server/client/updater):
Fix Released
Status in “system-image” package in Ubuntu:
Fix Committed
Bug description:
# ls -ld /var/log/system-image/
drwxrwxrwx 2 root root 4096 Sep 24 16:02 /var/log/system-image/
# ls -l /var/log/system-image/client.log
-rw-rw-rw- 1 root root 23927 Oct 6 09:11 /var/log/system-image/client.log
# ls -ld /tmp/system-image/
drwxrwxrwx 2 root root 260 Oct 6 09:11 /tmp/system-image/
Also, predictable temporary file (/tmp/system-image). This was
mentioned in bug #1233521
# system-image-cli -i
current build number: 78
device name: mako
channel: stable
last update: 2013-10-03 13:05:32
version version: 78
version ubuntu: 20131003
version device: 20131002.1